Florida Water Hack Highlights Risks of Remote Access Work Without Proper Security

The issue gained prominence on February 5, when hackers gained access to a Florida water treatment facility using inactive remote access software and then attempted to poison the water supply. The hack was quickly detected by a human operator at the facility, but the incident highlights a potential problem for the entire economy, as the Covid-19 pandemic caused millions of workers to work from home.

“The problem is not the existence of remote software. I think the problem is that an adversary obtained the credentials so that he could access it,” said Damon Small, Technical Director of Security Consulting at NCC Group North America.

“What this highlights, speaking as an information security professional, is the need for strong authentication when critical infrastructures are going to use these types of remote access systems.”

As reported by CNN, the treatment plant used multiple computers running an old version of Microsoft Windows to monitor the facility remotely. All computers shared a single password to access an apparently unused version of the plant’s remote management software.

According to Pinellas County sheriff Bob Gualtieri and a Massachusetts government adviser to public water providers, hackers gained access to the water facility’s control systems through remote access software known as TeamViewer.

Martina Dier, a spokeswoman for TeamViewer, said an investigation found no evidence of suspicious activity on its platform.

Why remote work can lead to hacks

The increase in remote work has given people the flexibility to work without the risk of being around large groups of co-workers. But it has also left workers more vulnerable to targeted attacks. And in some cases, it has placed previously protected job functions online, accessible to anyone with the right credentials.

Eric Cole, a former CIA cybersecurity expert and author of the forthcoming book “Cyber Crisis”, said that many critical infrastructure systems, such as water treatment plants, were built as closed-circuit systems and intentionally kept off the wider Internet.

“It was necessary to go through the guards with weapons, fences, video cameras, all physical security measures to gain access,” he explained.

However, several years ago, many utility companies began putting their systems online to pave the way for remote work. The pandemic has only accelerated this process – but the additional security required to bring these systems online has not always been put in place.

“These systems were never designed for that purpose and adequate security was never implemented,” he said.

Damon Small, who works with distant oil and gas companies, said there are perfectly adequate business reasons for configuring these systems to work remotely.

This can also be done safely. He offered three recommendations for strengthening these systems: 1) no shared accounts; 2) multi-factor authentication; and 3) Virtual Private Network (VPN) technology so that systems are not directly exposed to the Internet.

Still, he acknowledged that these tips are easier said than done and take time and money.

“The problem is that you can’t update something like a water treatment plant as easily as an e-mail system in a company, because a water treatment plant must be working all the time,” he said.

“We have to help all these critical infrastructures as much as we can, knowing that we don’t have the benefit of closing at 5 am every day. How do you update these things and make a system that could have been deployed two or three decades ago – how to make it resilient against 21st century attacks?”

Until such updates are made, however, similar hacks can be expected in critical infrastructure installations, Cole warned.

“They are more vulnerable than the average person or the average citizen would believe or would like to believe,” said Cole.

“I think what this shows us is that it doesn’t matter who you are, whether you are an individual, a small company or a large company, if you have vulnerabilities, you will be discovered and you are a target, and cybersecurity is your responsibility.”

Brian Fung and Alex Marquardt of CNN contributed to this report.